Why can I not bypass the certificate error with HSTS?

HSTS is designed to prevent exactly this. It tells the browser to never accept an invalid certificate for the domain. This prevents man-in-the-middle attacks where an attacker presents a fake certificate.

What is a good max-age value for HSTS?

Start with 300 (5 minutes) for testing. Increase to 86400 (1 day), then 604800 (1 week), then 31536000 (1 year). The preload list requires a minimum of 31536000 (1 year).

HSTS Strict-Transport-Security Error — HTTPS Enforcement and Preload Issues

Error4xx client error

Overview

Fix HTTP Strict-Transport-Security (HSTS) errors including redirect loops, preload list issues, and certificate problems that block site access.

Key Details

HSTS forces browsers to use HTTPS for all future requests to the domain after the first visit
Once HSTS is set, browsers refuse to connect over HTTP and will not allow certificate exceptions
HSTS preload list inclusion makes the policy permanent — removal takes months
The max-age directive sets how long (in seconds) the browser enforces HTTPS-only access
Including includeSubDomains affects all subdomains, which can break non-HTTPS subdomains

Common Causes

HSTS header set with includeSubDomains but some subdomains do not have valid SSL certificates
Site added to HSTS preload list but later needs to serve HTTP content or downgrade
SSL certificate expired on a domain with HSTS enabled — browsers block access entirely with no bypass
HSTS redirect loop caused by HTTP-to-HTTPS redirect combined with incorrect HSTS configuration

Steps

1Ensure all subdomains have valid SSL certificates before adding includeSubDomains directive
2Start with a short max-age (300 seconds) and gradually increase after confirming HTTPS works everywhere
3Clear HSTS cache in the browser for testing: chrome://net-internals/#hsts (delete domain security policies)
4Fix SSL certificate issues before enabling HSTS — you cannot bypass certificate errors with HSTS active
5Only submit to the HSTS preload list after confirming HTTPS works perfectly on the domain and all subdomains

Related Items

http-content-security-policy-violation

More in 4xx Client Error

http-400-bad-requestHTTP 400 Bad Request — What It Means & How to Fix It

Error

http-401-unauthorizedHTTP 401 Unauthorized — What It Means & How to Fix It

Error

http-402-payment-requiredHTTP 402 Payment Required — What It Means & How to Fix It

Error

http-403-forbiddenHTTP 403 Forbidden — What It Means & How to Fix It

Error

http-404-not-foundHTTP 404 Not Found — What It Means & How to Fix It

Error

http-405-method-not-allowedHTTP 405 Method Not Allowed — What It Means & How to Fix It

Error

Frequently Asked Questions

Yes, but it takes months. Submit a removal request at hstspreload.org. The change must propagate through browser update cycles (Chrome, Firefox, Safari, Edge), which can take 3-6 months.

HSTS Strict-Transport-Security Error — HTTPS Enforcement and Preload Issues

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in 4xx Client Error

Frequently Asked Questions